Security Response
Symantec Security Response | 14 Sep 2006 07:00:00 GMT | 0 comments

Just days after Microsoft's September Patch Tuesday announcement, Security Response has confirmed that there is a new Internet Explorer zero-day vulnerability. Because this is an unpatched vulnerability with proof-of-concept exploit code available, Symantec Security Response is considering this to be rated as "critical". The vulnerability itself was announced by XSec.

Upon further analysis, we have determined that the vulnerability is, in fact, a buffer overflow related to how Internet Explorer tries to instantiate a certain DirectAnimation COM object as an ActiveX control. At this point, we believe that successful exploitation of this vulnerability may allow an attacker to execute remote code on the compromised system.

There is no patch available from Microsoft for this particular zero-day exploit, as of yet. In order to provide proactive protection to our customers against malicious attacks that attempt to leverage the vulnerability, Symantec Security Response is...

Liam O Murchu | 14 Sep 2006 07:00:00 GMT | 0 comments

There is a relatively new annoyance called "spim" that seems to be popping up on our screens more frequently. Spim is the equivalent of spam (unsolicited email, usually selling snake oil) that is delivered over instant messaging clients. After recently receiving more spim, which was advertising what I believed to be a spyware product, it occurred to me that the best tricks are still the oldest ones. With the recent attention that spyware applications are receiving, it is easy to overlook some of the simpler, more direct methods of spying. Spyware applications are not the only way people can catch their spouses cheating (!). The spim message I received was advertising a “catch your spouse cheating service”. No download necessary, no application to install, no hidden software on your spouse’s computer.

The service is based strictly on social engineering. It is a “very straightforward service”, as it is explained on their Web site. For a fee of only $49.95, this...

Zulfikar Ramzan | 13 Sep 2006 07:00:00 GMT | 0 comments

Last year, researchers at Indiana University performed a fascinating study on the potential impact of a phishing attack that included some form of relevant context. It was felt that it wouldn't be much longer before phishers harnessed the power of contextual techniques. The academic work I'm referring to, entitled "Social Phishing", involved an experiment where researchers at Indiana University first mined available resources (social networking sites, etc.) to determine who was friends with whom. Then, they launched a mock phishing attack to see how individuals responded to a phishing email when the email message was forged to appear as if one of their friends sent it. It turned out that 72% of email recipients fell for the ruse and divulged sensitive credentials (compared to 15% in the "control" group that received an email from a random stranger).

At the time of the study, we weren't really aware of phishers trying to use the same trick to increase the...

Ben Greenbaum | 12 Sep 2006 07:00:00 GMT | 0 comments

Well, once again we find ourselves faced with the monthly ritual known as “Microsoft Patch Day”. This time around the ordeal is relatively minor, with only three new items in the bucket. Two of these items could potentially result in attacker-supplied code being run on a target system, but both are reliant on other limiting factors, which greatly reduce the global stress level associated with Patch Tuesday. All items, of course, are still worthy of close inspection by any admin to see if they apply to the machines and networks that they are responsible for.

The first issue we’ll address in this blog is the PGM overflow vulnerability (MS06-052, CVE-2006-3442, BID 19922). This is the most severe of the issues presented this month because it allows an attacker to execute arbitrary code remotely on the affected system. So then, what’s the good news? Well, the affected code is in MSMQ3....

Marc Fossi | 11 Sep 2006 07:00:00 GMT | 0 comments

The end of summer is upon us—everyone is back from their holidays and the kids are headed back to school. It seems that we were given a bit of a jolt in August to wake us all up from our relaxation, though. There were plenty of security headlines to keep us all on our toes.

In early August, AOL publicly posted 20 million search keywords that had been entered by its users. The data was supposed to be used by researchers and was listed using numerical identifiers in order to group specific keywords per user, instead of identifying the actual users’ names. Unfortunately, some of the AOL users had entered search terms that personally identified them, such as their own names or names of family members. AOL pulled the keyword lists offline, but the lists had already been copied and posted in other forums. While those of us in the security industry have told people for years to be careful of entering personal information into questionable Web sites, I don’t think search engines were really...

Mimi Hoang | 08 Sep 2006 07:00:00 GMT | 0 comments

Symantec uses the term “security risks” to refer to programs such as adware, spyware, and other potentially unwanted programs. Our hands-on analysis of these programs results in risk designations of high, medium, or low. These risk ratings are calculated across four different categories:
• Performance impact: The measure of the effect that a particular program has on a system’s stability and speed.
• Ease of removal: The measure of the difficulty of removing the program from a system.
• Privacy: The type of information that is being captured and whether or not it is personally identifiable.
• Stealth: Measuring to what extent programs may install without the user noticing and/or try to remain hidden to evade detection and removal.

Unlike malicious code threats, which are automatically removed, a security risk program may be acceptable to one enterprise or home user and not acceptable to another. Classifying security risks helps guide users in making...

Peter Ferrie | 07 Sep 2006 07:00:00 GMT | 0 comments

I’ll admit right now that this entry is a tease, because I can't tell you how I did it. However, I'll start by saying that there are some people out there who are claiming that hardware-assisted hypervisors are completely undetectable and some people who are claiming that they are not.

The people claiming that hardware-assisted hypervisors are undetectable are basing their argument on several things. First, the sensitive instructions that allow detection of software-based VMMs are trapped by a hardware-assisted hypervisor so that they can be emulated appropriately, if necessary. Second, some registers already have hardware-backed shadow copies; so, as an example, trying to leave paged protected mode (which is not permitted—not even in root mode) might seem like it worked, but it didn't really, because the hypervisor will simply switch the guest into v86 mode and the shadow CR0 will be lying to you. Third, the delivery of physical memory can be intercepted and empty pages...

Dave Cole | 06 Sep 2006 07:00:00 GMT | 0 comments

Last month, I blogged on the security and privacy implications surrounding Web 2.0, but left a little for another day. Following up after this year’s Black Hat, where Web 2.0 issues were cast into the spotlight, I’m here to finish what I started and provide an update on some interesting happenings.

Since my last post
To begin with, the potential for AJAX to empower sophisticated JavaScript malware and a host of invasive Web applications was demonstrated at Black Hat in Las Vegas. From port scanning to fingerprinting and basic network mapping, all done using the AJAX group of technologies, it’s clear that we’ve only begun to see what’s possible via malicious Web sites. While they may not have the immediate impact of a...

Ollie Whitehouse | 05 Sep 2006 07:00:00 GMT | 0 comments

In a time not so long ago the world was a very different place—in terms of mobile phone software upgrades at least. For many years now, several smaller companies in the cellular handset industry have provided a means for users to upgrade the firmware of their devices at home. These firmware upgrades are typically carried out using a computer—on which the firmware files are stored—and a connecting cable (or desk stand) for the cellular device. Sadly, this was not always true for the larger players; the result of which was that when a vulnerability was discovered, the user would first have to learn of it and then take their handset into a service center to be upgraded. This method isn’t very practical and would be pretty low on the priority list for most, if not all but the seriously security conscious.

Well, I applaud Nokia for their recent change of heart to allow users to perform...

Hon Lau | 03 Sep 2006 07:00:00 GMT | 0 comments

In recent months there has been a lot of activity around the discovery and exploitation of vulnerabilities in the Microsoft Office 2003 suite of applications. This activity led to the discovery of a large number of vulnerabilities in Microsoft Word, PowerPoint, and Excel; many of which were incorporated into new Trojans, such as the Trojan.PPDropper and Trojan.MDropper families. As a result, Microsoft has spent a fair amount of time and effort in patching security vulnerabilities in its Office 2003 suite.

In the past couple of days, we have seen samples of a Trojan that exploits a previously unknown vulnerability in Microsoft's Office applications. This time, it is in Microsoft Word 2000 running on Windows 2000. This Trojan (detected by Symantec products as Trojan.MDropper.Q) takes advantage of the vulnerability to drop another file onto the target computer....